Behavior

When executed, there is a 15 out of 16 chance that Zuc will search for an uninfected application by searching Desktop files for an APPL resource. 1 in 16 times, it will use a recursive search to find uninfected applications on external volumes such as AppleShare. It uses the system time to determine which method it uses.

It checks the name of the resource creator to make sure it is not one of the following: SpDo', 'XPRS', 'DFCT', 'VGDt', 'VIRy' 'OMEG'. It will avoid the file if it is one of these. When a suitible file is found, it increases the size of the CODE 1 resource and appends its code to it.

The virus will only work on MacOS 4.1 and later with ROMs smaller than 512 kilobytes.

Payload

Zuc has two likely intended payloads and some unintended ones. In most cases, it changes the desktop pattern. The virus also creates a VBL routine that causes the cursor to bounce whenever the mouse button is pressed. The unintended ones are long delays and heavy disk activity, which may cause the system to become unusable, especially after Finder becomes infected.

Variants

Zuc.B is relatively similar to Zuc.A. Zuc.C is also relatively similar to the original. The difference with Zuc.C though is that its payload only activates after 1990.08.13. Zuc.C was also discovered in Italy.

Effects

Zuc was first sighted in Italy. Zuc.A never became widespread. By late fall of 1990, Zuc.B had spread to the US, hitting Cornell university on December 7. It came on a disk of a student who had returned from Italy.

Name and Origin

The virus was discovered in Italy in March of 1990 where it is believed to have originated. It takes its name from Don Zucchini who is reported to have discovered it.

Other Facts

The fact that the virus has an infection trigger date of any time after 1989.11.01 suggests it may possibly have been written far earlier than the 1990.03 discovery date.